Route 53 Private Hosted Zone Explained (With Illustration)

👋 Hi! I’m Bibin Wilson. In each edition, I share practical tips, guides, and the latest trends in DevOps and MLOps to make your day-to-day DevOps tasks more efficient. If someone forwarded this email to you, you can subscribe here to never miss out!

🚀 Today’s Highlights

Here’s what we’re covering in this edition:

  • Route 53 Private Hosted Zones explained

  • Understanding AWS DNS Resolver

  • Illustrated step-by-step DNS flow with VPN setup

  • How AWS DNS resolver works inside a VPC

AWS Route 53 is a managed DNS service that handles DNS for both AWS and non-AWS resources.

In production setups, many applications run in private VPC subnets. To use DNS names for these internal services, you need private DNS: DNS that resolves only inside the VPC or over a VPN connection into it.

This is where Route 53 Private Hosted Zones help. They allow DNS resolution within AWS’s internal DNS system, limited to the VPC. So, you don’t need to set up your own DNS server.

In short, Private Hosted Zones let you use custom domain names for internal AWS resources without exposing them to the public internet.


In enterprise environments, companies usually run an internal DNS server to handle DNS resolution for their data centers and AWS resources. This is common in hybrid cloud setups.

In such cases, instead of using AWS Private Hosted Zones, you can directly use your organization's internal DNS server for name resolution.

Route53 Private DNS Workflow

Step 1: User types argocd.devopscube.com in the browser. The browser asks the OS: “What’s the IP for this domain?”

Step 2: OS checks /etc/resolv.conf. This file tells the system which DNS server to use. Because of the VPN connection, this is set to 10.0.0.2 (a custom DNS server pushed by the VPN config).

Step 3: DNS query is sent to 10.0.0.2 through the VPN. The request travels over the encrypted VPN tunnel to the VPN server in AWS.

This DNS server is the VPC’s built-in resolver, pointing to the VPC’s Route 53 private hosted zone.

Step 4: VPC DNS Resolver checks Route 53 Private Hosted Zone. It looks for argocd.devopscube.com in the private zone.

If found, it returns the private IP (like an internal Load Balancer or EC2).

Step 5: DNS response is returned via the VPN tunnel. The IP address is sent back to the local machine through the VPN.

Step 6: Browser connects to the private IP over the VPN. Your browser now sends traffic to that private IP through the VPN tunnel.

The VPN server decrypts and forwards the traffic to the EC2/Load Balancer/RDS.

Understanding AWS DNS Resolver

In every AWS VPC, the VPC’s default DNS resolver is reachable at the address <VPC CIDR base> + 2.

For example, in a VPC with CIDR 10.0.0.0/16, the DNS server is at 10.0.0.2. This DNS resolver is managed by AWS; you don’t operate it yourself. You can't override or change it; it’s baked into AWS’ DHCP and network infrastructure.

Note: Even if you have multiple subnets, there is only one .2 DNS resolver per VPC, not one per subnet.

VPN & DNS Config

When you set up a VPN (like Pritunl), you can configure it to use the AWS DNS server in its settings.

So, when you connect to the VPN, it pushes a custom DNS server (for example, 10.0.0.2) to your system. Your system then updates /etc/resolv.conf (on Linux) or DNS settings (on Windows or Mac) to use this internal DNS server.

What if the same domain exists in public DNS too?

There are situations where we use Split-Horizon DNS, meaning the same domain name exists in both public and private DNS zones.

Here’s what happens in such cases:

With VPN,

Your VPN client overrides your DNS config. All DNS requests go to 10.0.0.2 (VPC resolver), so the public DNS is bypassed. This ensures you get the private/internal IP, not the public one.

Without VPN,

Your system will use the public DNS (like Google 8.8.8.8). It will resolve argocd.devopscube.com to a public IP (if it exists), and you’ll hit the wrong (or blocked) endpoint.
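The checks below are an added example, not code from the original newsletter: they compute the VPC resolver address (CIDR base + 2) from the section above, read which resolver /etc/resolv.conf points at (Step 2 of the workflow), and classify a resolved address as private or public so you can confirm which side of a split-horizon zone answered. The VPC CIDR and the resolv.conf contents are constructed sample inputs.

```python
import ipaddress

def vpc_resolver(cidr: str) -> str:
    """Return the VPC's Route 53 resolver address: network base + 2."""
    net = ipaddress.ip_network(cidr, strict=True)
    # AWS VPCs are IPv4 blocks between /16 and /28; anything else is not a VPC CIDR.
    if net.version != 4 or net.prefixlen > 28 or net.prefixlen < 16:
        raise ValueError(f"not a valid VPC CIDR: {cidr}")
    return str(net.network_address + 2)

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Extract nameserver entries from /etc/resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def dns_path(resolv_conf: str, vpc_cidr: str) -> str:
    """'vpc' when the first resolver is the VPC's .2 address (the VPN pushed it),
    otherwise 'public', meaning split-horizon lookups will return the public answer."""
    servers = parse_nameservers(resolv_conf)
    if servers and servers[0] == vpc_resolver(vpc_cidr):
        return "vpc"
    return "public"

def answer_is_private(ip: str, vpc_cidr: str) -> bool:
    """True when a resolved address lies inside the VPC, i.e. the answer came
    from the private hosted zone rather than the public zone."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vpc_cidr)

# Constructed sample data for a 10.0.0.0/16 VPC (not taken from a real host).
VPC_CIDR = "10.0.0.0/16"
RESOLV_WITH_VPN = "# Generated by VPN client\nnameserver 10.0.0.2\nsearch devopscube.com\n"
RESOLV_WITHOUT_VPN = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"

if __name__ == "__main__":
    print(vpc_resolver(VPC_CIDR))                     # 10.0.0.2
    print(dns_path(RESOLV_WITH_VPN, VPC_CIDR))        # vpc
    print(dns_path(RESOLV_WITHOUT_VPN, VPC_CIDR))     # public
    print(answer_is_private("10.0.45.12", VPC_CIDR))  # True
```

To run it against a real machine, pass the contents of /etc/resolv.conf and your VPC's CIDR; a "public" result while the VPN is up means the client did not push the VPC resolver.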

Creating Private Hosted Zone

If you want a hands-on guide to learn Route 53 Private Hosted Zone setup, check out our detailed blog post.

Creating a Hosted Zone on AWS is very simple. Here’s a quick snapshot of a basic configuration for a Private Hosted Zone.

Here’s a snapshot of how to add a DNS record to a Private Hosted Zone.
